Bug 2335897 (CVE-2024-56762)

Summary: CVE-2024-56762 kernel: io_uring/sqpoll: fix sqpoll error handling races
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
[REJECTED CVE] A use-after-free (UAF) vulnerability was identified in the Linux kernel’s io_uring subsystem, specifically in SQPOLL error handling. If io_uring_alloc_task_context() fails while io_sq_thread() runs and completes before the error handling executes, io_sq_thread_finish() may attempt to access an already freed task, leading to potential system instability. While the issue is mostly theoretical and requires fault injection to trigger, could lead to crashes or unpredictable behavior.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-01-06 17:01:44 UTC 
In the Linux kernel, the following vulnerability has been resolved:

io_uring/sqpoll: fix sqpoll error handling races

BUG: KASAN: slab-use-after-free in __lock_acquire+0x370b/0x4a10 kernel/locking/lockdep.c:5089
Call Trace:
<TASK>
...
_raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
try_to_wake_up+0xb5/0x23c0 kernel/sched/core.c:4205
io_sq_thread_park+0xac/0xe0 io_uring/sqpoll.c:55
io_sq_thread_finish+0x6b/0x310 io_uring/sqpoll.c:96
io_sq_offload_create+0x162/0x11d0 io_uring/sqpoll.c:497
io_uring_create io_uring/io_uring.c:3724 [inline]
io_uring_setup+0x1728/0x3230 io_uring/io_uring.c:3806
...

Kun Hu reports that the SQPOLL creating error path has UAF, which
happens if io_uring_alloc_task_context() fails and then io_sq_thread()
manages to run and complete before the rest of error handling code,
which means io_sq_thread_finish() is looking at already killed task.

Note that this is mostly theoretical, requiring fault injection on
the allocation side to trigger in practice.
Comment 1 Robb Gatica 2025-01-06 19:16:43 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025010654-CVE-2024-56762-9a9f@gregkh/T
Comment 2 TEJ RATHI 2025-02-20 11:12:38 UTC 
This CVE has been rejected upstream:
https://lore.kernel.org/linux-cve-announce/2025010720-REJECTED-2931@gregkh/